Arnault在1995年的论文《Constructing Carmichael Numbers which are Strong Pseudoprimes to Several Bases》提出了一种用于构造强Lucas校验伪素数的方法,本文将对其方法做具体的实现分析。
参考:Albrecht, Martin R., et al. “Prime and prejudice: primality testing under adversarial conditions.” Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018.
设 P P P和 Q Q Q是整数,且 D = P 2 − 4 Q D=P^{2}-4Q D=P2−4Q,则卢卡斯序列 U k U_{k} Uk和 V k V_{k} Vk如下( k ≥ 0 k \ge 0 k≥0):
U k + 2 = P U k + 1 − Q U k , U 0 = 0 , U 1 = 1 V k + 2 = P V k + 1 − Q V k , V 0 = 2 , V 1 = P U_{k+2}=PU_{k+1}-QU_{k},\ U_{0}=0,U_{1}=1\\ V_{k+2}=PV_{k+1}-QV_{k},\ V_{0}=2,V_{1}=P\\ Uk+2=PUk+1−QUk, U0=0,U1=1Vk+2=PVk+1−QVk, V0=2,V1=P
实际上也可以这么理解,设
α
\alpha
α和
β
\beta
β分别是方程
x
2
−
P
x
+
Q
x^{2}-Px+Q
x2−Px+Q的两个根,则有:
U
(
P
,
Q
)
=
{
(
U
k
(
P
,
Q
)
)
}
k
≥
0
=
{
α
k
−
β
k
α
−
β
}
k
≥
0
V
(
P
,
Q
)
=
{
(
V
k
(
P
,
Q
)
)
}
k
≥
0
=
{
α
k
+
β
k
}
k
≥
0
U(P,Q)=\{(U_{k}(P,Q)) \}_{k\ge 0}=\{ \frac{\alpha^{k}-\beta^{k}}{\alpha-\beta}\}_{k\ge 0}\\ V(P,Q)=\{(V_{k}(P,Q)) \}_{k\ge 0}=\{ \alpha^{k}+\beta^{k}\}_{k\ge 0}\\
U(P,Q)={(Uk(P,Q))}k≥0={α−βαk−βk}k≥0V(P,Q)={(Vk(P,Q))}k≥0={αk+βk}k≥0
设
p
p
p是素数,且
g
c
d
(
p
,
2
Q
D
)
=
1
gcd(p,2QD)=1
gcd(p,2QD)=1,则有:
U
p
−
(
x
p
)
≡
0
(
m
o
d
p
)
U_{p-(\frac{x}{p})} \equiv 0\ (mod \ p)
Up−(px)≡0 (mod p)
其中 ( x p ) (\frac{x}{p}) (px)表示勒让德符号。
针对不同的 P P P和 Q Q Q,重复测试Lucas定理的逆否。
如果 n n n是一个合数,满足 g c d ( n , 2 Q D ) = 1 gcd(n,2QD)=1 gcd(n,2QD)=1,如果 U n − ( x n ) ≡ 0 ( m o d n ) U_{n-(\frac{x}{n})} \equiv 0\ (mod \ n) Un−(nx)≡0 (mod n),则 n n n是在参数 ( P , Q ) (P,Q) (P,Q)下的伪素数。
设 p p p是一个素数,且 p ∤ 2 Q D p\nmid2QD p∤2QD,设 p − ( D p ) = 2 k q p-(\frac{D}{p})=2^{k}q p−(pD)=2kq, q q q为奇数,则以下至少有一个条件满足:
p
∣
U
q
or
∃
i
such that
0
≤
i
<
k
and
p
∣
V
2
i
q
.
p \mid U_q \quad \text { or } \quad \exists i \text { such that } 0 \leq i
针对不同的 P P P和 Q Q Q,重复测试Lucas定理2的逆否。
如果 n n n是一个合数,且 g c d ( n , 2 Q D ) = 1 gcd(n,2QD)=1 gcd(n,2QD)=1,设 n − ( D n ) = 2 k q n-(\frac{D}{n})=2^{k}q n−(nD)=2kq, q q q为奇数,且以下至少有一个条件满足:
n
∣
U
q
or
∃
i
such that
0
≤
i
<
k
and
n
∣
V
2
i
q
.
n \mid U_q \quad \text { or } \quad \exists i \text { such that } 0 \leq i
参考:Fran ̧cois Arnault. Constructing Carmichael numbers which are strong pseudoprimes to several bases. Journal of Symbolic Computation, 20(2):151–161, 1995.
以下简称Arnault1995。
在做Baillie-PSW测试的时候,一般采用Selfridge’s Method A方法选择参数。
Selfridge’s Method A:
设
D
D
D为
5
,
−
7
,
9
,
−
11
,
13
,
.
.
.
5,-7,9,-11,13,...
5,−7,9,−11,13,...的第一个元素,且满足
(
D
n
)
=
−
1
(\frac{D}{n})=-1
(nD)=−1,设
P
=
1
P=1
P=1,
Q
=
1
−
D
4
Q=\frac{1-D}{4}
Q=41−D。
构造思路:
假设我们要构造的合数 n n n满足 ( 5 n ) = − 1 (\frac{5}{n})=-1 (n5)=−1,依据Selfridge’s Method A确定的参数应该为 ( P , Q , D ) = ( 1 , − 1 , 5 ) (P,Q,D)=(1,-1,5) (P,Q,D)=(1,−1,5)。
1.设合数 n = p 1 p 2 p 3 n=p_{1}p_{2}p_{3} n=p1p2p3,其中 p i p_{i} pi均为素数,且 p i = k i ( p 1 + 1 ) − 1 p_{i}=k_{i}(p_{1}+1)-1 pi=ki(p1+1)−1, i ∈ [ 2 , 3 ] i\in[2,3] i∈[2,3], k 2 k_{2} k2和 k 3 k_{3} k3均为奇数。
2. p i p_{i} pi必须满足以下条件(Arnault1995 Lemmas 6.1 and 6.2):
(
D
p
i
)
=
(
Q
p
i
)
=
−
1
,
i
∈
[
1
,
3
]
(\frac{D}{p_{i}})=(\frac{Q}{p_{i}})=-1 \ , i\in[1,3]
(piD)=(piQ)=−1 ,i∈[1,3]
在参数
(
P
,
Q
,
D
)
=
(
1
,
−
1
,
5
)
(P,Q,D)=(1,-1,5)
(P,Q,D)=(1,−1,5)的情况下:
(
−
1
p
i
)
=
(
5
p
i
)
=
−
1
,
i
∈
[
1
,
3
]
(\frac{-1}{p_{i}})=(\frac{5}{p_{i}})=-1 \ , i\in[1,3]
(pi−1)=(pi5)=−1 ,i∈[1,3]
可以发现 ( − 1 p i ) = − 1 ⇔ p i ≡ 3 ( m o d 4 ) (\frac{-1}{p_{i}})=-1 \Leftrightarrow p_{i}\equiv3\ (mod \ 4) (pi−1)=−1⇔pi≡3 (mod 4), ( 5 p i ) = − 1 ⇔ p i ≡ 2 or 3 ( m o d 5 ) (\frac{5}{p_{i}})=-1 \Leftrightarrow p_{i}\equiv2 \ \text{or} \ 3\ (mod \ 5) (pi5)=−1⇔pi≡2 or 3 (mod 5),又对 i ∈ [ 2 , 3 ] i\in[2,3] i∈[2,3]来说, p i = k i ( p 1 + 1 ) − 1 p_{i}=k_{i}(p_{1}+1)-1 pi=ki(p1+1)−1。由中国剩余定理可以解得:
{
p
1
≡
3
or
7
(
m
o
d
20
)
p
i
≡
2
or
3
(
m
o
d
5
)
,
i
∈
[
2
,
3
]
\left\{ p1≡3 or 7 (mod 20)pi≡2 or 3 (mod 5) ,i∈[2,3]
3.添加条件确保
k
2
k_{2}
k2和
k
3
k_{3}
k3确实是整数。
{
p
1
≡
k
3
−
1
(
m
o
d
k
2
)
p
1
≡
k
2
−
1
(
m
o
d
k
3
)
\left\{ p1≡k−13 (mod k2)p1≡k−12 (mod k3)
满足上述三个条件的 n n n即为一个强Lucas伪素数。
假设要生成
t
t
t位的强Lucas伪素数
n
n
n,可以联立三个关于
p
1
p_{1}
p1的同余方程:
{
p
1
≡
k
3
−
1
(
m
o
d
k
2
)
p
1
≡
k
2
−
1
(
m
o
d
k
3
)
p
1
≡
7
(
m
o
d
20
)
\left\{ p1≡k−13 (mod k2)p1≡k−12 (mod k3)p1≡7 (mod 20)
通过中国剩余定理,能解出通解 p 1 p_{1} p1和特解 x x x:
M = 20 ∗ k 2 k 3 x = C R T ( [ k 3 − 1 ( m o d k 2 ) , k 2 − 1 ( m o d k 3 ) , 7 ] , [ k 2 , k 3 , 20 ] ) p 1 = k M + x , k ∈ Z M=20*k_{2}k_{3}\\ x=CRT([k_{3}^{-1} \ (mod \ k_{2}), k_{2}^{-1} \ (mod \ k_{3}), 7],[k_{2},k_{3},20])\\ p_{1}=kM+x \ ,k\in \mathbb{Z} M=20∗k2k3x=CRT([k3−1 (mod k2),k2−1 (mod k3),7],[k2,k3,20])p1=kM+x ,k∈Z
我们通过调整通解中的系数 k k k即可得到指定位数的 p 1 p_{1} p1,我们可以通过 t t t来计算 p 1 p_{1} p1的大致系数 k p 1 k_{p1} kp1:
p 2 = k 2 ( p 1 + 1 ) − 1 = k 2 p 1 + k 2 − 1 p 3 = k 3 ( p 1 + 1 ) − 1 = k 3 p 1 + k 3 − 1 n = p 1 p 2 p 3 = k 2 k 3 p 1 3 + D D = p 1 ( 2 k 2 k 3 p 1 + k 2 k 3 + 1 − ( p 1 + 1 ) ( k 2 + k 3 ) ) ) ≈ 2 k 2 k 3 p 2 ≪ k 2 k 3 p 1 3 k p 1 ≥ ( 2 t − 1 k 2 k 3 ) − 3 ( m o d M ) − 1 p_{2}=k_{2}(p_{1}+1)-1=k_{2}p_{1}+k_{2}-1\\ p_{3}=k_{3}(p_{1}+1)-1=k_{3}p_{1}+k_{3}-1\\ n=p_{1}p_{2}p_{3}=k_{2}k_{3}p_{1}^{3}+D\\ D=p_{1}(2k_{2}k_{3}p_{1}+k_{2}k_{3}+1-(p_{1}+1)(k_{2}+k_{3}))) \approx 2k_{2}k_{3}p^{2}\ll k_{2}k_{3}p_{1}^{3}\\ \\ k_{p1} \ge (\frac {2^{t-1}}{k_{2}k_{3}})^{-3} \ (mod \ M) - 1 p2=k2(p1+1)−1=k2p1+k2−1p3=k3(p1+1)−1=k3p1+k3−1n=p1p2p3=k2k3p13+DD=p1(2k2k3p1+k2k3+1−(p1+1)(k2+k3)))≈2k2k3p2≪k2k3p13kp1≥(k2k32t−1)−3 (mod M)−1
在计算出 p 1 p_{1} p1后,通过 p i = k i ( p 1 + 1 ) − 1 p_{i}=k_{i}(p_{1}+1)-1 pi=ki(p1+1)−1, i ∈ [ 2 , 3 ] i\in[2,3] i∈[2,3]计算 p 2 p_{2} p2和 p 3 p_{3} p3,同时需要保证满足 p i ≡ 2 or 3 ( m o d 5 ) , i ∈ [ 2 , 3 ] p_{i} \equiv2 \ \text{or} \ 3\ (mod \ 5)\ , i \in [2,3] pi≡2 or 3 (mod 5) ,i∈[2,3]。
代码如下(sage):
from random import randint
def generate_lucas_pseudoprimes(t):
assert t >= 64, "Smaller numbers you can debug yourself!"
while True:
k2 = randint(1, 200) * 2 + 1
k3 = randint(1, 200) * 2 + k2
if k2 % 5 == 0 or k3 % 5 == 0:
continue
if gcd(k2, k3) != 1:
continue
M = k2 * k3 * 20
x = crt([7, pow(k3, -1, k2), pow(k2, -1, k3)], [20, k2, k3])
k = int((2 ** (t - 1) // (k2 * k3)) ** (1 / 3)) // M - 1
p1 = M * k + x
p2 = k2 * (p1 + 1) - 1
p3 = k3 * (p1 + 1) - 1
if p2 % 5 not in [2, 3] or p3 % 5 not in [2, 3]:
continue
# Enumerating k
while True:
k += 1
p1 = M * k + x
if not is_prime(p1):
continue
p2 = k2 * (p1 + 1) - 1
p3 = k3 * (p1 + 1) - 1
n = p1 * p2 * p3
if n.nbits() < t:
continue
if n.nbits() > t:
break
if not is_prime(p2) or not is_prime(p3):
continue
break
if n.nbits() == t:
break
return n, p1, p2, p3
n, _, _, _ = generate_lucas_pseudoprimes(512)
print(n)
from Crypto.Math.Primality import lucas_test
print(lucas_test(int(n)))
ATFWUS 2023-11-21